Skip to content

feat(intel): cross-reference threat intel tool (CentinelaCI bridge)#1

Open
kmazara89 wants to merge 2 commits into
mainfrom
feature/cross-reference-intel
Open

feat(intel): cross-reference threat intel tool (CentinelaCI bridge)#1
kmazara89 wants to merge 2 commits into
mainfrom
feature/cross-reference-intel

Conversation

@kmazara89

Copy link
Copy Markdown

Summary

Adds a seventh tool, cross-reference-intel, that bridges live CentinelaCI threat intelligence into the user's own Elasticsearch data — answering "have these threats been seen in my environment?".

  • centinela-client: lazy JWT login with token caching and one-shot 401 re-auth; tolerant snake_case/camelCase parsing for /iocs and /vulns/top.
  • cross-reference-intel tool: pulls prioritised CVEs (context) + IOCs, then checks each indicator against the relevant ECS fields via ES|QL. Degrades gracefully — unconfigured intel returns a clear instruction, ES|QL failures are treated as "not seen here" rather than errors, CVE-type indicators are skipped.
  • Config: CENTINELA_API_URL / CENTINELA_API_PASSWORD (optional CENTINELA_API_USERNAME). Unset leaves the tool registered but inert.
  • Docs: README + docs/features.md updated to cover the new headless (model-only) tool; .env.example documents the config.

Test plan

  • npx tsc --noEmit — clean
  • eslint on intel files — clean
  • 27 unit tests (centinela-client, cross-reference-intel) passing
  • 20 server integration tests passing (tool registration)

🤖 Generated with Claude Code

kmazara89 and others added 2 commits June 29, 2026 10:30
…at intel

Pull live threat intelligence (prioritised CVEs and IOCs) from the
CentinelaCI REST API and ground it in the user's Elasticsearch data:
each indicator is checked against the relevant ECS fields via ES|QL so
the model can answer "have these threats been seen in my environment".

- centinela-client: lazy JWT login with token caching and one-shot
  401 re-auth; tolerant snake_case/camelCase parsing for /iocs and
  /vulns/top.
- cross-reference-intel tool: degrades gracefully when intel isn't
  configured, maps IOC types to ECS fields, and treats ES|QL failures
  as "not seen here" rather than erroring.
- Configured via CENTINELA_API_URL / CENTINELA_API_PASSWORD (optional
  CENTINELA_API_USERNAME); unset leaves the tool registered but inert.
- Unit tests for both files plus integration-test coverage of registration.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The README claimed "six tools" and features.md omitted the new headless
threat-intel bridge. Note it as a seventh, headless (model-only) tool and
add a full features.md section covering intel pull, IOC-to-ECS matching,
graceful degradation, and the CENTINELA_* configuration.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant